Homomorphic computation device, encryption system, and computer readable medium

ABSTRACT

An encryption device generates a ciphertext ct including an encryption element C in which a plaintext μ is set, an encryption element C x  in which an attribute x is set, and an encryption element F that is not to be decrypted with a decryption key sk f  corresponding to a policy f satisfied by the attribute x and in which the plaintext μ is set. A homomorphic computation device converts the ciphertext ct into a ciphertext ct ˜  by converting, with the encryption element F, the encryption element C included in the ciphertext ct into an encryption element C ˜  that can be decrypted with the decryption key sk F  corresponding to a policy set F acquired by a policy acquisition unit. The homomorphic computation device performs homomorphic computation g on the ciphertext ct ˜  to generate a ciphertext ct*.

TECHNICAL FIELD

The present invention relates to a technique for performing computation with data encrypted.

BACKGROUND ART

Homomorphic encryption is a cryptographic technique capable of computing with data encrypted. Recently, while the use of cloud services is becoming widespread, it is conceivable to store data in the cloud after encrypting the data, due to concerns about cracking and reliability of the cloud. Homomorphic encryption is a technique that enables cloud services to be used without compromising safety, because computations can be performed on encrypted data without decryption.

An encryption technique that enables flexible control of a decryptor in accordance with specified conditions in order to improve the convenience of homomorphic encryption is attribute-based homomorphic encryption. In the attribute-based homomorphic encryption, a ciphertext is related to a certain attribute, a decryption key is related to a certain decryption permission condition, and a correct plaintext can be obtained only when a ciphertext is decrypted with such a key having an attribute satisfying the decryption permission condition.

Non Patent Literature 1 describes the first method of the attribute-based homomorphic encryption. In the method described in Non Patent Literature 1, there is a problem that homomorphic computation can be performed only between ciphertexts related to a same attribute.

Non Patent Literature 2 describes a method of the attribute-based homomorphic encryption that solves the problem of Non Patent Literature 1.

Non Patent Literature 2 illustrates a configuration of two encryption techniques called single target attribute-based homomorphic encryption and multiple target attribute-based homomorphic encryption. The single target attribute-based homomorphic encryption is an encryption method that can perform homomorphic computation for a certain decryption permission condition as long as both ciphertexts are related to an attribute satisfying the condition. The multiple target attribute-based homomorphic encryption is an encryption method that can perform homomorphic computation for a plurality of decryption permission conditions as long as both ciphertexts are related to an attribute satisfying any of conditions.

CITATION LIST Non Patent Literature

-   Non Patent Literature 1: C. Gentry, A. Sahai, and B. Waters.     “Homomorphic Encryption from Learning with Errors:     Conceptually-Simpler, Asymptotically-Faster, Attribute-Based”. In     CRYPTO 2013, pages 75-92, 2013. -   Non Patent Literature 2: Z. Brakerski, D. Cash, R. Tsabary, and H.     Wee. “Targeted Homomorphic Attribute Based Encryption”. In TCC     2016-B, pages 330-360, 2016. -   Non Patent Literature 3: C. Peikert, and S. Shiehian “Multi-Key FHE     from LWE, revisited” 2016.

SUMMARY OF INVENTION Technical Problem

In the multiple target attribute-based homomorphic encryption illustrated in Non Patent Literature 2, a ciphertext Y obtained by performing homomorphic computation on a ciphertext X subject to computation is associated with a set F of decryption permission conditions that enable decryption of the ciphertext X subject to computation. In a case of performing homomorphic computation again with a different ciphertext Z before homomorphic computation with use of the ciphertext Y, homomorphic computation cannot be performed unless a decryption permission condition of the ciphertext Z is included in the set F of decryption permission conditions associated with the ciphertext Y.

Therefore, depending on decryption conditions of the ciphertexts X, Y, and Z, it is necessary to collect all the ciphertexts X, Y, and Z in advance and perform homomorphic computation at the same time. Therefore, for example, in performing homomorphic computation on encrypted time series data, an enormous storage capacity is required for collecting and holding all the time series data to be used for computation in advance.

It is an object of the present invention to enable flexible homomorphic computation.

Solution to Problem

A homomorphic computation device according to the present invention includes:

-   -   a ciphertext acquisition unit to acquire a ciphertext ct         including an encryption element C in which a plaintext μ is set,         an encryption element C_(x) in which an attribute x is set, and         an encryption element F in which the plaintext μ is set, the         encryption element F being not to be decrypted with a decryption         key sk_(f) corresponding to a policy f satisfied by the         attribute x;     -   a policy acquisition unit to acquire a policy set F that is a         set of policies;     -   a ciphertext conversion unit to convert the ciphertext et into a         ciphertext ct^(˜) by converting, with the encryption element F,         the encryption element C included in the ciphertext ct acquired         by the ciphertext acquisition unit into an encryption element         C^(˜) that can be decrypted with a decryption key sk_(F)         corresponding to the policy set F acquired by the policy         acquisition unit; and     -   a homomorphic computation unit to perform homomorphic         computation g on the ciphertext ct^(˜) converted by the         ciphertext conversion unit, to generate a ciphertext ct*.

Advantageous Effects of Invention

In the present invention, an encryption element C is converted into an encryption element C^(˜) with use of an encryption element F. This makes it possible to perform homomorphic computation without associating an element in the encryption element C with a policy set F. Therefore, it becomes possible to perform flexible homomorphic computation again by using a ciphertext ct* as an input.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a configuration diagram of an encryption system 10 according to a first embodiment.

FIG. 2 is a configuration diagram of a key generation device 20 according to the first embodiment.

FIG. 3 is a configuration diagram of an encryption device 30 according to the first embodiment.

FIG. 4 is a configuration diagram of a homomorphic computation device 40 according to the first embodiment.

FIG. 5 is a configuration diagram of a decryption device 50 according to the first embodiment.

FIG. 6 is a flowchart of Setup processing according to the first embodiment.

FIG. 7 is a flowchart of KeyGen processing according to the first embodiment.

FIG. 8 is a flowchart of Enc processing according to the first embodiment.

FIG. 9 is a flowchart of Eval processing according to the first embodiment.

FIG. 10 is a flowchart of Dec processing according to the first embodiment.

FIG. 11 is a configuration diagram of a key generation device 20 according to Modification 1.

FIG. 12 is a configuration diagram of an encryption device 30 according to Modification 1.

FIG. 13 is a configuration diagram of a homomorphic computation device 40 according to Modification 1.

FIG. 14 is a configuration diagram of a decryption device 50 according to Modification 1.

DESCRIPTION OF EMBODIMENTS First Embodiment

***Description of Configuration***

With reference to FIG. 1, a configuration of an encryption system 10 according to a first embodiment will be described.

The encryption system 10 includes a key generation device 20, an encryption device 30, a homomorphic computation device 40, and a decryption device 50.

The key generation device 20, the encryption device 30, the homomorphic computation device 40, and the decryption device 50 are connected via a network 60. As a specific example, the network 60 is the Internet. The network 60 may be another type of network such as a local area network (LAN).

With reference to FIG. 2, a configuration of the key generation device 20 according to the first embodiment will be described.

The key generation device 20 is a computer.

The key generation device 20 includes hardware of a processor 21, a memory 22, a storage 23, and a communication interface 24. The processor 21 is connected to other pieces of hardware via a signal line, and controls these other pieces of hardware.

The key generation device 20 includes an acquisition unit 211, a master key generation unit 212, a decryption key generation unit 213, and an output unit 214, as functional components. Functions of the acquisition unit 211, the master key generation unit 212, the decryption key generation unit 213, and the output unit 214 are realized by software.

The storage 23 stores a program for realizing functions of the acquisition unit 211, the master key generation unit 212, the decryption key generation unit 213, and the output unit 214. This program is read into the memory 22 by the processor 21 and executed by the processor 21. Thus, functions of the acquisition unit 211, the master key generation unit 212, the decryption key generation unit 213, and the output unit 214 are realized.

In addition, the storage 23 realizes a function of a master key storage unit 231.

With reference to FIG. 3, a configuration of the encryption device 30 according to the first embodiment will be described.

The encryption device 30 is a computer.

The encryption device 30 includes hardware of a processor 31, a memory 32, a storage 33, and a communication interface 34. The processor 31 is connected to other pieces of hardware via a signal line, and controls these other pieces of hardware.

The encryption device 30 includes an acquisition unit 311, an encryption unit 312, and an output unit 313, as functional components. Functions of the acquisition unit 311, the encryption unit 312, and the output unit 313 are realized by software.

The storage 33 stores a program for realizing functions of the acquisition unit 311, the encryption unit 312, and the output unit 313. This program is read into the memory 32 by the processor 31 and executed by the processor 31. Thus, functions of the acquisition unit 311, the encryption unit 312, and the output unit 313 are realized.

In addition, the storage 33 realizes a function of a public parameter storage unit 331.

With reference to FIG. 4, a configuration of the homomorphic computation device 40 according to the first embodiment will be described.

The homomorphic computation device 40 is a computer.

The homomorphic computation device 40 includes hardware of a processor 41, a memory 42, a storage 43, and a communication interface 44. The processor 41 is connected to other pieces of hardware via a signal line, and controls these other pieces of hardware.

The homomorphic computation device 40 includes an acquisition unit 411, a ciphertext conversion unit 412, a homomorphic computation unit 413, and an output unit 414, as functional components. The acquisition unit 411 includes a public parameter acquisition unit 415, a ciphertext acquisition unit 416, a policy acquisition unit 417, and a computation acquisition unit 418. Functions of the acquisition unit 411, the ciphertext conversion unit 412, the homomorphic computation unit 413, the output unit 414, the public parameter acquisition unit 415, the ciphertext acquisition unit 416, the policy acquisition unit 417, and the computation acquisition unit 418 are realized by software.

The storage 43 stores a program for realizing functions of the acquisition unit 411, the ciphertext conversion unit 412, the homomorphic computation unit 413, the output unit 414, the public parameter acquisition unit 415, the ciphertext acquisition unit 416, the policy acquisition unit 417, and the computation acquisition unit 418. This program is read into the memory 42 by the processor 41 and executed by the processor 41. Thus, functions of the acquisition unit 411, the ciphertext conversion unit 412, the homomorphic computation unit 413, the output unit 414, the public parameter acquisition unit 415, the ciphertext acquisition unit 416, the policy acquisition unit 417, and the computation acquisition unit 418 are realized.

In addition, the storage 43 realizes functions of a public parameter storage unit 431 and a ciphertext storage unit 432.

With reference to FIG. 5, a configuration of the decryption device 50 according to the first embodiment will be described.

The decryption device 50 is a computer.

The decryption device 50 includes hardware of a processor 51, a memory 52, a storage 53, and a communication interface 54. The processor 51 is connected to other pieces of hardware via a signal line, and controls these other pieces of hardware.

The decryption device 50 includes an acquisition unit 511, a decryption unit 512, and an output unit 513, as functional components. Functions of the acquisition unit 511, the decryption unit 512, and the output unit 513 are realized by software.

The storage 53 stores a program for realizing functions of the acquisition unit 511, the decryption unit 512, and the output unit 513. This program is read into the memory 52 by the processor 51 and executed by the processor 51. Thus, functions of the acquisition unit 511, the decryption unit 512, and the output unit 513 are realized.

In addition, the storage 53 realizes functions of a key storage unit 531, a condition storage unit 532, and a result storage unit 533.

The processors 21, 31, 41, and 51 are integrated circuits (ICs) that perform computation processing. As a specific example, the processors 21, 31, 41, and 51 are a central processing unit (CPU), a digital signal processor (DSP), or a graphics processing unit (GPU).

The memories 22, 32, 42, and 52 are storage devices that temporarily store data. As a specific example, the memories 22, 32, 42, and 52 are a static random access memory (SRAM) or a dynamic random access memory (DRAM).

The storages 23, 33, 43, and 53 are storage devices that store data. As a specific example, the storages 23, 33, 43, and 53 are a hard disk drive (HDD). In addition, the storages 23, 33, 43, and 53 may be a portable storage medium such as a secure digital (SD, registered trademark) memory card, a compact flash (CF), a NAND flash, a flexible disk, an optical disk, a compact disk, a Blu-Ray (registered trademark) disk, or a digital versatile disk (DVD).

The communication interfaces 24, 34, 44, and 54 are interfaces to communicate with external devices. As a specific example, the communication interfaces 24, 34, 44, and 54 are ports of Ethernet (registered trademark), a universal serial bus (USB), or a high-definition multimedia interface (HDMI, registered trademark).

In FIG. 2, only one processor 21 is illustrated. However, the key generation device 20 may include a plurality of processors substituting for the processor 21. Similarly, the encryption device 30 may include a plurality of processors substituting for the processor 31, the homomorphic computation device 40 may include a plurality of processors substituting for the processors 41, and the decryption device 50 may include a plurality of processors substituting for the processor 51. These plurality of processors share execution of a program for realizing a function of each functional component. Similarly to the processors 21, 31, 41, and 51, each processor is an IC that performs computation processing.

***Description of Operation***

With reference to FIGS. 6 to 10, an operation of the encryption system 10 according to the first embodiment will be described.

The operation of the encryption system 10 according to the first embodiment corresponds to an encryption method according to the first embodiment. Further, the operation corresponds to processing of an encryption program according to the first embodiment.

The operation of the encryption system 10 is divided into Setup processing, KeyGen processing, Enc processing, Eval processing, and Dec processing.

In the following description, the description is made focusing on parts different from the contents described in Non Patent Literature 2, and some explanation is omitted since parts same as the contents described in Non Patent Literature 2 are contents already known.

Reference symbols in the following description will be described.

n, q, and χ are parameters in a learning with errors (LWE) problem. The LWE problem is a known problem. A decisional LWE problem (DLWE problem) is defined as follows.

<DLWE Problem>

Suppose that λ is a security parameter, n=n (λ) and q=q (λ) are integers, and χ=χ(λ) is probability distribution on an integer Z. The problem of DLWE_(n,q,χ) is that (A, s^(T)A+e^(T)) and (A, u^(T)) are computationally indistinguishable when Formula 11 holds for all m=poly(n). A←

_(q) ^(n×m) ,s←

_(q) ^(n) ,e←χ ^(m) ,u←

_(q) ^(m)  [Formula 11]

m, N, M, and g^(T) are as represented in Formula 12. m=O(n log q), n:=┌log q┐, M:=(m+N+1)┌log q┐, g ^(T):=(1,2, . . . ,2┌log q┐)  [Formula 12]

For any x∈Z_(q), y represented in Formula 13 is a vector that satisfies Formula 14. y:=g ⁻¹(x)∈{0,1}┌log q┐  [Formula 13]

y,g

=x∈

_(q)  [Formula 14]

For any natural numbers n and m, I_(n) is a unit matrix of n rows and n columns, and 0_(n×m) is a matrix of n rows and m columns with all elements 0. For any i∈[n], e_(i)∈{0, 1}^(n) is a standard basis vector in which n-th element is 1 and others are 0. Note that i∈[n] means i=1, . . . n.

F⊆{0, 1}^(L)→{0, 1} is a class of a policy that can be calculated by Boolean circuit of a depth d_(F). G⊆{0, 1}*→{0, 1} is a class of computation that can be calculated by Boolean circuit of a depth d_(G).

With reference to FIG. 6, the Setup processing according to the first embodiment will be described.

The Setup processing is mainly executed by the key generation device 20 at a time of initial setting or the like of the encryption system 10. The Setup processing according to the first embodiment corresponds to a master key generation method and processing of a master key generation program according to the first embodiment.

(Step S11: Acquisition Process)

The acquisition unit 211 of the key generation device 20 acquires the parameters λ, L, d_(F), and d_(G).

Specifically, the acquisition unit 211 accepts the parameters λ, L, d_(F), and d_(G) inputted by an administrator or the like of the encryption system 10, via the communication interface 24. The acquisition unit 211 writes the accepted parameters λ, L, d_(F), and d_(G) into the memory 22.

(Step S12: Master Key Generation Process)

The master key generation unit 212 of the key generation device 20 generates a pair of a public parameter pp and a master secret key msk.

Specifically, the master key generation unit 212 generates a pair (A, A_(τ0) ⁻¹) of a matrix A and a trapdoor A_(τ0) ⁻¹, as represented in Formula 15.

$\begin{matrix} {\left( {A,A_{\tau\; 0}^{- 1}} \right)\overset{R}{\leftarrow}{{TrapGen}\left( {1^{n},q,m} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 15} \right\rbrack \end{matrix}$

The TrapGen algorithm is described in Non Patent Literature 2. Here, the matrix A is a matrix represented in Formula 16, and the trapdoor A_(τ0) ⁻¹ is an algorithm represented in Formula 17. A∈

_(q) ^(n×m)  [Formula 16] A _(τ0) ⁻¹(u)=x, Ax=u  [Formula 17]

The master key generation unit 212 generates matrices B, B₀, B₁, . . . , B_(L) and defines B^(→) _(x), as represented in Formula 18.

$\begin{matrix} {B,B_{0},B_{1},\ldots\mspace{14mu},{B_{L}\overset{U}{\leftarrow}{\mathbb{Z}}_{q}^{n \times N}},{{\overset{\rightarrow}{B}}_{x}:=\left\lbrack {B_{1},\ldots\mspace{14mu},B_{L}} \right\rbrack}} & \left\lbrack {{Formula}\mspace{14mu} 18} \right\rbrack \end{matrix}$

The master key generation unit 212 generates a vector v and a seed σ of pseudo random function (PRF) as represented in Formula 19.

$\begin{matrix} {{v\overset{U}{\leftarrow}{\mathbb{Z}}_{q}^{n}},{\sigma\overset{R}{\leftarrow}{{PRF}.{{Gen}\left( 1^{\lambda} \right)}}}} & \left\lbrack {{Formula}\mspace{14mu} 19} \right\rbrack \end{matrix}$

The PRF.Gen algorithm is described in Non Patent Literature 2.

The master key generation unit 212 sets (A, B₀, B^(→) _(x), B, v) as the public parameter pp, and (A_(τ0) ⁻¹, σ) as the master secret key msk. The master key generation unit 212 writes the public parameter pp into the memory 22, and writes the public parameter pp and the master secret key msk into the master key storage unit 231.

(Step S13: Output Process)

The output unit 214 of the key generation device 20 outputs the public parameter pp.

Specifically, the output unit 214 reads the public parameter pp from the memory 22. Then, the output unit 214 transmits the public parameter pp to the encryption device 30, the homomorphic computation device 40, and the decryption device 50 via the communication interface 24.

(Step S14: Public Parameter Acquisition Process)

The acquisition unit 311 of the encryption device 30, the public parameter acquisition unit 415 of the homomorphic computation device 40, and the acquisition unit 511 of the decryption device 50 acquire the public parameter pp.

Specifically, the acquisition unit 311 receives the public parameter pp transmitted by the output unit 214, via the communication interface 34. The acquisition unit 311 writes the received public parameter pp into the public parameter storage unit 331.

Further, the public parameter acquisition unit 415 of the homomorphic computation device 40 receives the public parameter pp transmitted by the output unit 214, via the communication interface 44. The public parameter acquisition unit 415 writes the received public parameter pp into the public parameter storage unit 431.

In addition, the acquisition unit 511 of the decryption device 50 receives the public parameter pp transmitted by the output unit 214, via the communication interface 54. The acquisition unit 511 writes the received public parameter pp into the key storage unit 531.

That is, the key generation device 20 executes the Setup algorithm represented in Formula 20 to generate the public parameter pp and the master secret key msk.

$\begin{matrix} {{{Setup}\left( {1^{\lambda},1^{L},1_{\mathcal{F}}^{d},1_{\mathcal{G}}^{d}} \right)}{\left( {A,A_{\tau_{0}}^{- 1}} \right)\overset{R}{\leftarrow}{{TrapGen}\left( {1^{n},q,m} \right)}},B,B_{0},B_{1},\ldots\mspace{14mu},{B_{L}\overset{U}{\leftarrow}{\mathbb{Z}}_{q}^{n \times N}},{{\overset{\rightarrow}{B}}_{x\;}{\text{:=}\;\left\lbrack {B_{1},\ldots\mspace{14mu},B_{L}} \right\rbrack}},{v\overset{U}{\leftarrow}{\mathbb{Z}}_{q}^{n}},{\sigma\overset{R}{\leftarrow}{{PRF}.{{Gen}\left( 1^{\lambda} \right)}}},{{return}\mspace{14mu}{pp}\mspace{11mu}\text{:=}\mspace{11mu}\left( {A,B_{0},{\overset{\rightarrow}{B}}_{x},B,v} \right)},{{msk}\mspace{11mu}\text{:=}{\left( {A_{\tau_{0}},\sigma} \right).}}} & \left\lbrack {{Formula}\mspace{14mu} 20} \right\rbrack \end{matrix}$

With reference to FIG. 7, the KeyGen processing according to the first embodiment will be described.

The KeyGen processing is mainly executed by the key generation device 20 in generating a new decryption key sk_(f). The KeyGen processing according to the first embodiment corresponds to a decryption key generation method and processing of a decryption key generation program according to the first embodiment.

(Step S21: Decryption Key Request Process)

The acquisition unit 511 of the decryption device 50 requests the key generation device 20 to generate the decryption key sk_(f).

Specifically, the acquisition unit 511 accepts a policy f indicating a decryption permission condition inputted by a user or the like of the decryption device 50. For the policy f, for example, an attribute of the user is set. Then, the acquisition unit 511 transmits the inputted policy f to the key generation device 20, and requests generation of the decryption key sk_(f) associated with the policy f.

The acquisition unit 511 writes the policy f transmitted when the generation of the decryption key sk_(f) is requested, into the condition storage unit 532.

(Step S22: Acquisition Process)

The acquisition unit 211 of the key generation device 20 acquires the policy f.

Specifically, the acquisition unit 211 receives the policy f transmitted from the decryption device 50, via the communication interface 24. The acquisition unit 211 writes the received policy f into the memory 22.

(Step S23: Decryption Key Generation Process)

The decryption key generation unit 213 of the key generation device 20 generates the decryption key sk_(f) associated with the policy f.

Specifically, the decryption key generation unit 213 reads the policy f from the memory 22, and reads the public parameter pp and the master secret key msk from the master key storage unit 231. The decryption key generation unit 213 calculates a matrix B_(f) as represented in Formula 21. B _(f):=Eval(f,B ^(→) _(x))  [Formula 21]

The Eval algorithm is described in Non Patent Literature 2.

The decryption key generation unit 213 queries to a random oracle, to obtain a matrix r′_(f)=O(A, f)∈{0, 1}^(N). That is, the decryption key generation unit 213 generates the random matrix r′_(f). The decryption key generation unit 213 generates a matrix r_(f) as represented in Formula 22.

$\begin{matrix} {r_{f}\overset{R}{\leftarrow}{A_{\tau}^{- 1}\left( {{{- \left( {B_{0} + B_{f}} \right)}r_{f}^{\prime}} - v} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 22} \right\rbrack \end{matrix}$

Here, τ is as represented in Formula 23. τ=O(m·NL·(N+1)^(d)

)≥τ₀  [Formula 23]

At this time, since the trapdoor A_(τ0) ⁻¹ is an algorithm represented in Formula 17, Formula 24 is established.

$\begin{matrix} {{{\left\lbrack {r_{f}^{T}{{r^{\prime}}_{f}^{T}}1} \right\rbrack\begin{bmatrix} A^{T} \\ {\left( {B_{0} + B_{f}} \right)T} \\ v^{T} \end{bmatrix}} = 0_{n}}\mspace{31mu}} & \left\lbrack {{Formula}\mspace{14mu} 24} \right\rbrack \end{matrix}$

The decryption key generation unit 213 writes the matrix r_(f) into the memory 22, as the decryption key sk_(f).

(Step S24: Output Process)

The output unit 214 of the key generation device 20 outputs the decryption key sk_(f).

Specifically, the output unit 214 reads the decryption key sk_(f) from the memory 22. Then, the output unit 214 transmits the decryption key sk_(f) to the decryption device 50 via the communication interface 24.

(Step S25: Decryption Key Acquisition Process)

The acquisition unit 511 of the decryption device 50 acquires the decryption key sk_(f).

Specifically, the acquisition unit 511 receives the decryption key sk_(f) transmitted by the output unit 214, via the communication interface 54. The acquisition unit 511 writes the received decryption key sk_(f) into the key storage unit 531.

That is, the key generation device 20 executes the KeyGen algorithm represented in Formula 25 to generate the decryption key sk_(f).

$\begin{matrix} {{{KeyGen}\left( {f \in \mathcal{F}} \right)}{{B_{f}\mspace{11mu}\text{:=}\mspace{11mu}{{Eval}\left( {f,{\overset{\rightarrow}{B}}_{x\;}} \right)}},{r_{f}^{\prime} = {{\mathcal{O}\left( {A,f} \right)} \in \left\{ {0,1} \right\}^{N}}},{\rho\overset{U}{\leftarrow}{{{PRF}.{Gen}}\left( {\sigma,f} \right)}},{r_{f}\overset{R}{\leftarrow}{A_{\tau}^{- 1}\left( {{{- \left( {B_{0} + B_{f}} \right)}r_{f}^{\prime}} - v} \right)}},{where}}\;{{\tau = {O\left( {{m \cdot {NL} \cdot \left( {N + 1} \right)_{\mathcal{F}}^{d}} \geq \tau_{0}} \right)}},{{{Note}\mspace{14mu}{{{that}\mspace{14mu}\left\lbrack {r_{f}^{T}{{r^{\prime}}_{f}^{T}}1} \right\rbrack} \cdot \left\lbrack {A^{T}{{\left( {B_{0} + B_{f}} \right)T}}v^{T}} \right\rbrack}} = 0_{n}},{{return}\mspace{14mu}{sk}\mspace{14mu}{{\text{:=}\;\left\lbrack r_{f} \right\rbrack}.}}}} & \left\lbrack {{Formula}\mspace{20mu} 25} \right\rbrack \end{matrix}$

With reference to FIG. 8, the Enc processing according to the first embodiment will be described.

The Enc processing is mainly executed by the encryption device 30 in generating a ciphertext ct. The Enc processing according to the first embodiment corresponds to an encryption method and processing of an encryption program according to the first embodiment.

(Step S31: Acquisition Process)

The acquisition unit 311 of the encryption device 30 acquires a plaintext μ and an attribute x.

Specifically, the acquisition unit 311 accepts the plaintext μ and the attribute x inputted by a user or the like of the encryption device 30, via the communication interface 34. The plaintext μ is a message to be transmitted after being encrypted, and is the plaintext μ∈{0, 1}. The attribute x is an attribute associated with a ciphertext and is an attribute x∈{0, 1}^(L). The acquisition unit 311 writes the plaintext μ and the attribute x into the memory 32.

(Step S32: Encryption Process)

The encryption unit 312 of the encryption device 30 generates the ciphertext ct obtained by encrypting the plaintext μ with the attribute x set.

Specifically, the encryption unit 312 reads the public parameter pp from the public parameter storage unit 331 and reads the plaintext μ and the attribute x from the memory 32. The encryption unit 312 generates a matrix S, a matrix E_(A), and an error vector e_(v) as represented in Formula 26.

$\begin{matrix} {{S\overset{U}{\leftarrow}{\mathbb{Z}}_{q}^{n \times M}},{E_{A}\overset{R}{\leftarrow}\chi^{m \times M}},{e_{v}\overset{R}{\leftarrow}{\chi^{M}.}}} & \left\lbrack {{Formula}\mspace{14mu} 26} \right\rbrack \end{matrix}$

The encryption unit 312 generates a matrix R_(i,j) for each integer i of i∈{0, 1, . . . , L} and each integer j of j∈[M] as represented in Formula 27.

$\begin{matrix} {R_{i,j}\overset{U}{\leftarrow}\left\{ {0,1} \right\}^{m \times N}} & \left\lbrack {{Formula}\mspace{14mu} 27} \right\rbrack \end{matrix}$

The encryption unit 312 generates a matrix E_(i)[j] for each integer i of i∈{0, 1, . . . , L} and each integer j of j∈[M] as represented in Formula 28. Here, E_(i)[j] and E_(A) [j] represent j-th columns of the matrix E_(i) and the matrix E_(A), respectively. E _(i)[j]:=R _(i,j) ^(T) E _(A)[j]  [Formula 28]

The encryption unit 312 generates a matrix C as represented in Formula 29, and generates a matrix C_(x) as represented in Formula 30.

$\begin{matrix} {{C\mspace{14mu}{{\text{:=}\mspace{11mu}\begin{bmatrix} A^{T} \\ B_{0}^{T} \\ v^{T} \end{bmatrix}} \cdot S}} + \begin{bmatrix} E_{A} \\ E_{0} \\ e_{v}^{T} \end{bmatrix} + {\mu\left( {I_{m + N + 1} \otimes g^{T}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 29} \right\rbrack \\ {C_{x}:={{\left\lbrack {{\overset{\rightarrow}{B}}_{x} - {x\overset{\rightarrow}{G}}} \right\rbrack^{T} \cdot S} + \begin{bmatrix} E_{1} \\ \vdots \\ E_{L} \end{bmatrix}}} & \left\lbrack {{Formula}\mspace{14mu} 30} \right\rbrack \end{matrix}$

The matrix C is set with the plaintext and is configured to be decryptable with the decryption key sk_(f) corresponding to the policy f satisfied by the attribute x.

Here, Formula 31 indicates a tensor product. ⊗  [Formula 31]

Further, Formula 32 holds. {right arrow over (G)}:=I _(m+N+1) ⊗g ^(T)  [Formula 32]

The encryption unit 312 generates a matrix R and a matrix E_(F) as represented in Formula 33.

$\begin{matrix} {{R\overset{U}{\leftarrow}{\mathbb{Z}}_{q}^{n \times N}},{E_{F}\overset{R}{\leftarrow}\chi^{{({m + N + 1})} \times M}}} & \left\lbrack {{Formula}\mspace{14mu} 33} \right\rbrack \end{matrix}$

The encryption unit 312 generates a matrix F as represented in Formula 34.

$\begin{matrix} {{F\mspace{14mu}{{\text{:=}\begin{bmatrix} A^{T} \\ B^{T} \\ v^{T} \end{bmatrix}} \cdot R}} + E_{F} + {\mu\left( {I_{m + N + 1} \otimes g^{T}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 34} \right\rbrack \end{matrix}$

As represented in Formula 34, the plaintext μ and the matrix R that is a random number are set for the matrix F. The matrix F includes a matrix B instead of a matrix B₀ included in the matrix, and is configured not to be decrypted by the decryption key sk_(f) corresponding to the policy f satisfied by the attribute x.

As represented in Formula 35, the encryption unit 312 generates a matrix E^((k)) _(A), a vector e^((k)) _(v), and a matrix R^((k)) _(i,j) for each integer i of i∈{0, 1, . . . , L}, each integer j of j∈[M], and each integer k of k∈[N].

$\begin{matrix} {{E_{A}^{(k)}\overset{R}{\leftarrow}\chi^{m \times M}},{e_{v}^{(k)}\overset{R}{\leftarrow}\chi^{M}},{R_{i,j}^{(k)}\overset{U}{\leftarrow}{\mathbb{Z}}_{q}^{m \times N}}} & \left\lbrack {{Formula}\mspace{14mu} 35} \right\rbrack \end{matrix}$

The encryption unit 312 generates a vector E^((k)) _(i) and a matrix E^((k)) as represented in Formula 36. Here, E^((k)) _(i) [j] and the matrix E^((k)) _(A) [j] represent j-th columns of the matrix E^((k)) _(i) and the matrix E^((k)) _(A), respectively. E _(i) ^((k))[i]:=(R _(i,j) ^((k)))^(T) E _(A) ^((k))[j], E ^((k)):=[(E _(A) ^((k)))^(T)∥(E ₀ ^((k)))^(T) ∥e _(v) ^((k))]^(T)  [Formula 36]

The encryption unit 312 generates matrices S⁽¹⁾, . . . , S^((N)) as represented in Formula 37.

$\begin{matrix} {S^{(1)},\ldots\mspace{14mu},{S^{(N)}\overset{U}{\leftarrow}{\mathbb{Z}}_{q}^{n \times M}}} & \left\lbrack {{Formula}\mspace{14mu} 37} \right\rbrack \end{matrix}$

The encryption unit 312 generates a matrix D as represented in Formula 38, and generates a matrix D^((k)) _(x) as represented in Formula 39.

$\begin{matrix} \left. {{D\mspace{11mu}\text{:=}\mspace{11mu}{\left( {I_{N} \otimes \begin{bmatrix} A^{T} \\ B_{0}^{T} \\ v^{T} \end{bmatrix}} \right) \cdot \begin{bmatrix} S^{(1)} \\ \vdots \\ S^{(N)} \end{bmatrix}}} + \begin{bmatrix} E^{(1)} \\ \vdots \\ E^{(N)} \end{bmatrix} + {R \otimes g \otimes e_{m + N + 1}}} \right) & \left\lbrack {{Formula}\mspace{14mu} 38} \right\rbrack \\ {\mspace{79mu}{D_{x}^{(k)}:={{\left( {{\overset{\rightarrow}{B}}_{x} - {x\overset{\rightarrow}{G}}} \right) \cdot S^{(k)}} + \begin{bmatrix} E_{1}^{(k)} \\ \vdots \\ E_{L}^{(k)} \end{bmatrix}}}} & \left\lbrack {{Formula}\mspace{14mu} 39} \right\rbrack \end{matrix}$

That is, in the matrix D, the matrix R that is a random number included in the matrix F is encrypted.

The encryption unit 312 writes, into the memory 32, the ciphertext ct having the attribute x, the matrix C, the matrix C_(x), the matrix F, the matrix D, and the matrix D^((k)) _(x) for each integer k of k∈[N], as encryption elements. That is, the ciphertext ct includes: the matrix C that is an encryption element in which the plaintext μ is set; the matrix C_(x) that is an encryption element in which the attribute x is set; the matrix F that is an encryption element not to be decrypted by the decryption key sk_(f) corresponding to the policy f satisfied by the attribute x, and in which the plaintext μ and the matrix R that is a random number are set; and the matrix D that is an encryption element in which the matrix R that is a random number is encrypted.

(Step S33: Output Process)

The output unit 313 of the encryption device 30 outputs the ciphertext ct.

Specifically, the output unit 313 reads the ciphertext ct from the memory 32. Then, the output unit 313 transmits the ciphertext ct to the homomorphic computation device 40 via the communication interface 34.

(Step S34: Ciphertext Acquisition Process)

The ciphertext acquisition unit 416 of the homomorphic computation device 40 receives the ciphertext ct transmitted by the output unit 313, via the communication interface 44. The ciphertext acquisition unit 416 writes the received ciphertext ct into the ciphertext storage unit 432.

That is, the encryption device 30 executes the Enc algorithm represented in Formulas 40 to 41, to generate the ciphertext ct.

$\begin{matrix} {\mspace{79mu}{{{{Enc}\left( {{\mu \in \left\{ {0,1} \right\}},{x \in \left\{ {0,1} \right\}^{L}}} \right)}\mspace{79mu}{{S\overset{U}{\leftarrow}{\mathbb{Z}}_{q}^{n \times M}},{E_{A}\overset{R}{\leftarrow}\chi^{m \times M}},{e_{v}\overset{R}{\leftarrow}\chi^{M}},{for}}}\text{}\mspace{79mu}{{i \in \left\{ {0,\ldots\mspace{14mu},L} \right\}};{j = \lbrack M\rbrack}}\mspace{79mu}{{R_{i,j}\overset{U}{\leftarrow}\left\{ {0,1} \right\}^{m \times N}},{{E_{i}\lbrack j\rbrack}:={R_{i,j}^{T}{E_{A}\lbrack j\rbrack}}},\mspace{79mu}{{C\mspace{14mu}{{\text{:=}\begin{bmatrix} A^{T} \\ B_{0}^{T} \\ v^{T} \end{bmatrix}} \cdot S}} + \begin{bmatrix} E_{A} \\ E_{0} \\ e_{v}^{T} \end{bmatrix} + {\mu\left( {I_{m + N + 1} \otimes g^{T}} \right)}},\mspace{79mu}{C_{x}:={{\left\lbrack {{\overset{\rightarrow}{B}}_{x} - {x\overset{\rightarrow}{G}}} \right\rbrack^{T} \cdot S} + \begin{bmatrix} E_{1} \\ \vdots \\ E_{L} \end{bmatrix}}},\mspace{79mu}{R\overset{U}{\leftarrow}{\mathbb{Z}}_{q}^{n \times N}},{E_{F}\overset{R}{\leftarrow}\chi^{{({m + N + 1})} \times M}},{{{F\mspace{14mu}{{\text{:=}\;\begin{bmatrix} A^{T} \\ B^{T} \\ v^{T} \end{bmatrix}} \cdot R}} + E_{F} + {\mu\left( {I_{m + N + 1} \otimes g^{T}} \right)}} \in {\mathbb{Z}}_{q}^{{({m + N + 1})} \times M}},}}} & \left\lbrack {{Formula}\mspace{14mu} 40} \right\rbrack \\ {\mspace{79mu}{{{{{{for}\mspace{14mu} i} = 1},\ldots\mspace{14mu},{L;{j = 1}},\ldots\mspace{14mu},{M;{k = 1}},\ldots\mspace{14mu},N}\mspace{79mu}{{E_{A}^{(k)}\overset{R}{\leftarrow}\chi^{m \times M}},{e_{v}^{(k)}\overset{R}{\leftarrow}\chi^{M}},{R_{i,j}^{(k)}\overset{U}{\leftarrow}{\mathbb{Z}}_{q}^{m \times N}},{{E_{i}^{(k)}\lbrack j\rbrack}:={\left( R_{i,j}^{(k)} \right)^{T}{E_{A}^{(k)}\lbrack j\rbrack}}},{E^{(k)}:=\left\lbrack {\left( E_{A}^{(k)} \right)^{T}{\left( E_{0}^{(k)} \right)^{T}}e_{v}^{(k)}} \right\rbrack^{T}},\mspace{79mu} S^{(1)},\ldots\mspace{14mu},{S^{(N)}\overset{U}{\leftarrow}{\mathbb{Z}}_{q}^{n \times M}},{{{D\mspace{11mu}\text{:=}\mspace{11mu}{\left( {I_{N} \otimes \begin{bmatrix} A^{T} \\ B_{0}^{T} \\ v^{T} \end{bmatrix}} \right) \cdot \begin{bmatrix} S^{(1)} \\ \vdots \\ S^{(N)} \end{bmatrix}}} + \begin{bmatrix} E^{(1)} \\ \vdots \\ E^{(N)} \end{bmatrix} + {R \otimes g \otimes e_{m + N + 1}}} \in {\mathbb{Z}}_{q}^{{({m + N + 1})}N \times M}},{D_{x}^{(k)}:={{{\left( {{\overset{\rightarrow}{B}}_{x} - {x\overset{\rightarrow}{G}}} \right) \cdot S^{(k)}} + \begin{bmatrix} E_{1}^{(k)} \\ \vdots \\ E_{L}^{(k)} \end{bmatrix}} \in {\mathbb{Z}}_{q}^{{LN} \times M}}}}}\mspace{79mu}{{{return}\mspace{14mu}{ct}}:={\left( {x,C,C_{x},F,D,\left\{ D_{x}^{(k)} \right\}_{k}} \right).}}}} & \left\lbrack {{Formula}\mspace{14mu} 41} \right\rbrack \end{matrix}$

With reference to FIG. 9, the Eval processing according to the first embodiment will be described.

The Eval processing is executed by the homomorphic computation device 40 in performing homomorphic computation on the ciphertext et. The Eval processing according to the first embodiment corresponds to a homomorphic computation method and processing of a homomorphic computation program according to the first embodiment.

(Step S41: Ciphertext Acquisition Process)

The ciphertext acquisition unit 416 acquires ciphertexts ct⁽¹⁾, . . . , ct^((k)) subject to computation. Here, k is an integer of 1 or more.

Specifically, the ciphertext acquisition unit 416 reads the ciphertexts ct⁽¹⁾, . . . , ct^((k)) specified by a user or the like of the homomorphic computation device 40, via the communication interface 44 from the ciphertext storage unit 432. The ciphertext acquisition unit 416 writes the read ciphertexts ct⁽¹⁾, . . . , ct^((k)) into the memory 42.

(Step S42: Policy Acquisition Process)

The policy acquisition unit 417 of the homomorphic computation device 40 acquires a policy set F:={f₁, . . . , f_(d)}, which is a set of policies. Here, d is an integer of 1 or more.

Specifically, the policy acquisition unit 417 accepts the policy set F inputted by a user or the like of the homomorphic computation device 40, via the communication interface 44. The policy acquisition unit 417 writes the accepted policy set F into the memory 42.

Note that, in order to perform homomorphic computation, a ciphertext ct^((i)) for each integer i of i=1, . . . , k read out in step S41 needs to satisfy any of f₁, . . . , f_(d) included in the policy set F. In other words, it is necessary for the ciphertext ct^((i)) for each integer i of i=1, . . . , k to be decryptable with the decryption key sk_(f) associated with any of f₁, . . . , f_(d). That is, assuming that an attribute that has been set for the ciphertext ct^((i)) for each integer i of i=1, . . . , k is an attribute x_(i), f_(j)(x_(i))=0 needs to be satisfied for a certain j∈[d], for each integer i of i=1, . . . , k.

(Step S43: Computation Acquisition Process)

The computation acquisition unit 418 of the homomorphic computation device 40 acquires homomorphic computation g to be executed.

Specifically, the computation acquisition unit 418 accepts the homomorphic computation g inputted by a user or the like of the homomorphic computation device 40, via the communication interface 44. The computation acquisition unit 418 writes the accepted homomorphic computation g into the memory 42.

(Step S44: Ciphertext Conversion Process)

The ciphertext conversion unit 412 of the homomorphic computation device 40 converts the ciphertext ct^((i)) for each integer i of i=1, . . . , k into a ciphertext ct^((1)˜):=(C^(˜), F^(˜), D^(˜)).

Specifically, the ciphertext conversion unit 412 first executes an Apply algorithm and then executes an Expansion algorithm on the ciphertext ct^((i)) for each integer i of i=1, . . . , k as a target. However, the Apply algorithm is executed only for the ciphertext ct^((i)) that has never been subjected to homomorphic computation. That is, the Apply algorithm is executed in a case where the ciphertext ct^((i)) is generated by the encryption device 30 and is the ciphertext ct outputted in step S33 of FIG. 8, while the Apply algorithm is not executed in a case where the ciphertext ct^((i)) is the ciphertext ct* outputted in step S46 to be described later. In a case where the ciphertext ct^((i)) is the ciphertext ct* outputted in step S46 to be described later, only the Expansion algorithm is executed.

Here, to simplify the expression, the target ciphertext ct^((i)) is written as a ciphertext ct, and the ciphertext ct^((i)˜) obtained by converting the ciphertext ct^((i)) is written as a ciphertext ct^(˜). Further, a policy f_(j) satisfied by the target ciphertext ct^((i)) is written as a policy f.

The Apply algorithm will be described.

The ciphertext conversion unit 412 calculates a matrix H as represented in Formula 42. H:=EvRelation(f,x,{right arrow over (B)} _(x))  [Formula 42]

The EvRelation algorithm is described in Non Patent Literature 2.

The ciphertext conversion unit 412 generates a matrix C_(f):=H^(T)C_(x). The ciphertext conversion unit 412 generates a matrix C_({circumflex over (f)}) as represented in Formula 43.

$\begin{matrix} {C_{\hat{f}}:={C + \begin{bmatrix} 0_{m \times M} \\ C_{f} \\ 0_{1 \times M} \end{bmatrix}}} & \left\lbrack {{Formula}\mspace{14mu} 43} \right\rbrack \end{matrix}$

For each integer i of i∈[k], the ciphertext conversion unit 412 generates a matrix D^((i)) _(f) as represented in Formula 44. D _(f) ^((i)) :=H ^(T) D _(x) ^((i))  [Formula 44]

The ciphertext conversion unit 412 generates a matrix D_(f) as represented in Formula 45. D _(f)[0_(M×m)∥(D _(f) ⁽¹⁾)^(T)⊕0_(M)∥ . . . ∥0_(M×m)∥(D _(f) ^((N)))^(T)∥0_(M)]^(T)  [Formula 45]

The ciphertext conversion unit 412 generates a matrix D{circumflex over ( )}_(f): =D_(f)+D.

That is, the ciphertext conversion unit 412 executes the Apply algorithm represented in Formula 46.

                                 [Formula  46] dMTHABE.ApplyF_(pp)(ct, f ∈ ℱ) ${H:={{EvRelation}\left( {f,x,{\overset{\rightarrow}{B}}_{x}} \right)}},{C_{f}:={H^{T}C_{x}}},{C_{f}^{\bigwedge}:={C + \begin{bmatrix} 0_{m \times M} \\ C_{f} \\ 0_{1 \times M} \end{bmatrix}}},{D_{f}^{(i)}:={{H^{T}D_{x}^{(i)}} \in {\mathbb{Z}}_{q}^{N \times M}}},{D_{f}:=\left\lbrack {0_{M \times m}{\left( D_{f}^{(1)} \right)^{T}}0_{M}{\mspace{11mu}\ldots\mspace{11mu} }0_{M \times m}{\left( D_{f}^{(N)} \right)^{T}}0_{M}} \right\rbrack^{T}},{D_{f}^{\bigwedge}:={D_{f} + D}},{{return}\mspace{14mu} C_{f}^{\bigwedge}},F,{D_{f}^{\bigwedge}.}$

The Expansion algorithm will be described.

Here, when the target ciphertext ct^((i)) is the ciphertext ct*:=(C*, F*, D*) outputted in step S46 to be described later, C{circumflex over ( )}_(f):=C*, F:=F*, and D{circumflex over ( )}_(f):=D* are set.

The ciphertext conversion unit 412 sets the matrix F as a matrix F^(˜) as it is.

The ciphertext conversion unit 412 generates a matrix D^(˜) as represented in Formula 47.

$\begin{matrix} {D^{\sim}:={\left( {I_{N} \otimes \begin{bmatrix} I_{n^{\prime}} \\ 0_{{({m + N + 1})} \times n^{\prime}} \end{bmatrix}} \right) \cdot D_{f}^{\bigwedge}}} & \left\lbrack {{Formula}\mspace{14mu} 47} \right\rbrack \end{matrix}$

The ciphertext conversion unit 412 generates a matrix C^(˜) as represented in Formula 48.

$\begin{matrix} {C^{\sim}:=\begin{bmatrix} C_{f}^{\bigwedge} & X \\ 0 & F^{\bigwedge} \end{bmatrix}} & \left\lbrack {{Formula}\mspace{14mu} 48} \right\rbrack \end{matrix}$

Here, a matrix X is as represented in Formula 49. X:=(s⊗I _(n′))·D _({circumflex over (f)})  [Formula 49]

Further, a matrix s is as represented in Formula 50. s:=(I _(n) ⊗g ^(−T))((B _(f) +B ₀ −B)r′ _(f))∈{0,1}^(N)  [Formula 50]

Note that the vector r′_(f)∈{0, 1}^(N) is a vector obtained by querying f to a random oracle. That is, the vector r′_(f) is a random vector. Further, B_(f) is as represented in Formula 21.

The ciphertext conversion unit 412 writes the ciphertext ct^(˜):=(C^(˜), F^(˜), D^(˜)) into the memory 42.

That is, the ciphertext conversion unit 412 executes the Expansion algorithm represented in Formula 51.

$\begin{matrix} {{{Expansion}\;\left( {C_{f}^{\bigwedge},F,D_{f}^{\bigwedge}} \right)}{{F^{\sim}:=F},{D^{\sim}:={\left( {I_{N} \otimes \begin{bmatrix} I_{n^{\prime}} \\ 0_{{({m + N + 1})} \times n^{\prime}} \end{bmatrix}} \right) \cdot D_{f}^{\bigwedge}}},{r_{f}^{\prime} \in \left\{ {0,1} \right\}^{N}},{B_{f}:={{Eval}\left( {{\overset{\rightarrow}{B}}_{x},f} \right)}},{s:={{\left( {I_{n} \otimes g^{- T}} \right)\left( {\left( {B_{f} - B} \right)r_{f}^{\prime}} \right)} \in \left\{ {0,1} \right\}^{N}}},{X:={\left( {s \otimes I_{n^{\prime}}} \right) \cdot D_{f}^{\bigwedge}}},{C^{\sim}:=\begin{bmatrix} C_{f}^{\bigwedge} & X \\ 0 & F^{\bigwedge} \end{bmatrix}}}{{{return}\mspace{14mu} C^{\sim}},F^{\sim},{D^{\sim}.}}} & \left\lbrack {{Formula}\mspace{14mu} 51} \right\rbrack \end{matrix}$

(Step S45: Homomorphic Computation Process)

The homomorphic computation unit 413 of the homomorphic computation device 40 executes the homomorphic computation g on the ciphertext ct^((i)˜) for each integer i of i=1, . . . , k, to generate the ciphertext ct*:=(C*, F*, D*).

Specifically, the homomorphic computation unit 413 reads the ciphertext ct^((i)˜) for each integer i of i=1, . . . k. Then, with the ciphertext ct^((i)˜) for each integer i of i=1, . . . , k as an input, the homomorphic computation unit 413 executes the homomorphic computation g in accordance with the homomorphic computation method described in “3.2 Homomorphic Operations” of Non Patent Literature 3, to generate the ciphertext ct*. The homomorphic computation unit 413 writes the generated ciphertext ct* into the memory 42.

As a specific example, a case of performing homomorphic addition on two ciphertexts ct^((1)˜):=(C₁, F₁, D₁) and ct^((2)˜):=(C₂, F₂, D₂) will be described. In this case, the homomorphic computation unit 413 calculates each encryption element such as C*:=C₁+C₂, F*:=F₁+F₂, and D*:=D₁+D₂.

Further, as a specific example, a case of performing homomorphic multiplication on two ciphertexts ct^((1)˜):=(C₁, F₁, D₁) and ct^((2)˜):=(C₂, F₂, D₂) will be described. In this case, the homomorphic computation unit 413 calculates each encryption element as represented in Formula 52. C*:=C ₁·(I _(n′) ⊗g ^(−T))(C ₂), F*:=F ₁·(I _(m+N+1) ⊗g ^(−T))(F ₂), D*:=D ₁·(I _(m+N+1) ⊗g ^(−T))(F ₂)+(I _(N) ⊗C ₁)·(I _(n′N) ⊗g ^(−T))(D ₂)  [Formula 52]

(Step S46: Output Process)

The output unit 414 of the homomorphic computation device 40 outputs the ciphertext ct*.

Specifically, the output unit 414 reads the ciphertext ct* from the memory 42. Then, the output unit 414 writes the ciphertext ct* into the ciphertext storage unit 432.

That is, the homomorphic computation device 40 executes the Evaluation algorithm represented in Formula 53 to generate the ciphertext ct*.

$\begin{matrix} {{{Evaluation}{\;\;}\left( {{ct}^{(1)},\ldots\mspace{14mu},{ct}^{(k)},f_{1},\ldots\mspace{14mu},{f_{d} \in \mathcal{F}},{g \in \mathcal{G}}} \right)}\mspace{79mu}{{{j \in {\lbrack d\rbrack\mspace{11mu}{satisfy}\mspace{11mu}{f_{j}\left( x_{i} \right)}}} = {{0\mspace{14mu}{for}\mspace{14mu} i} \in \lbrack k\rbrack}},\mspace{79mu}{\left( {{C_{f_{j},i,}^{\bigwedge}F_{f_{j},i}},D_{f_{j},i}^{\bigwedge}} \right):={{{{Apply}\left( {{ct}^{(i)},f_{j}} \right)}\mspace{14mu}{for}\mspace{14mu} i} \in \lbrack k\rbrack}},\;\mspace{79mu}{\left( {C_{f_{j},i}^{\sim},F_{f_{j},i}^{\sim},D_{f_{j},i}^{\sim}} \right):={{Expansion}\mspace{11mu}\left( {C_{f_{j},i}^{\bigwedge},F_{f_{j},i},D_{f_{j},i}^{\bigwedge}} \right)}},\mspace{79mu}{\left( {C^{*},F^{*},D^{*}} \right):={H.{{Op}\left( \left\{ {C_{f_{j},i}^{\sim},F_{f_{j},i}^{\sim},D_{f_{j},i}^{\sim}} \right\}_{i \in {\lbrack k\rbrack}} \right)}}},\mspace{79mu}{{{return}\mspace{14mu}{ct}^{*}}:={\left\lbrack {C^{*},F^{*},D^{*}} \right\rbrack.}}}} & \left\lbrack {{Formula}\mspace{14mu} 53} \right\rbrack \end{matrix}$

Note that the H.Op algorithm is a computation algorithm of homomorphic computation described in Non Patent Literature 3.

With reference to FIG. 10, the Dec processing according to the first embodiment will be described.

The Dec processing is mainly executed by the decryption device 50 in decrypting the ciphertext ct. The Dec processing according to the first embodiment corresponds to a decryption method and processing of a decryption program according to the first embodiment.

(Step S51: Acquisition Process)

The acquisition unit 511 of the decryption device 50 acquires a ciphertext ct^((F)):=(C{circumflex over ( )}_(F), F, D{circumflex over ( )}_(F)) to be decrypted.

Specifically, the acquisition unit 511 transmits an acquisition request for the ciphertext ct^((F)) to the homomorphic computation device 40 via the communication interface 54. Upon receiving the acquisition request, the output unit 414 of the homomorphic computation device 40 reads the requested ciphertext ct^((F)) from the ciphertext storage unit 432. At this time, in a case where the ciphertext ct^((F)) is the ciphertext et outputted in step S33 of FIG. 8, the ciphertext conversion unit 412 of the homomorphic computation device 40 executes the above-described Apply algorithm to convert the ciphertext ct into ciphertext ct^((F)):=(C{circumflex over ( )}_(F), F, D{circumflex over ( )}_(F)). Further, in a case where the ciphertext ct^((F)) is the ciphertext ct*:=(C*, F*, D*) outputted in step S46 of FIG. 9, the ciphertext conversion unit 412 of the homomorphic computation device 40 converts into the ciphertext ct^((F)):=(C{circumflex over ( )}_(f):=C*, F: =F*, D{circumflex over ( )}_(f):=D*). Then, the output unit 414 transmits the converted ciphertext ct^((F)) to the decryption device 50 via the communication interface 44. The acquisition unit 511 receives the ciphertext ct^((F)) transmitted from the homomorphic computation device 40. The acquisition unit 511 writes the received ciphertext ct^((F)) into the memory 52.

The ciphertext ct^((F)) means that it is a ciphertext that can be decrypted by the decryption keys sk_(f1), . . . , sk_(fd) associated with the policy set F:={f₁, . . . , f_(d)}.

(Step S52: Decryption Process)

The decryption unit 512 of decryption device 50 decrypts the ciphertext ct^((F)) with decryption key sk_(f1):=r_(f1), . . . , sk_(fd):=r_(fd), to calculate a value μ^(˜).

Specifically, the decryption unit 512 acquires a matrix r′_(fj):=O(A, f_(j)) by querying to a random oracle for each integer j of j∈[d]. The decryption unit 512 concatenates the decryption key sk_(fj) for each integer j of j∈[d] as represented in Formula 54, to generate a decryption key r_(F) ^(T). r _(F) ^(T):=[r _(f1) ^(T) ∥r′ _(f1) ^(T)∥1∥ . . . ∥r _(fd) ^(T) ∥r′ _(fd) ^(T)∥1]  [Formula 54]

The decryption unit 512 calculates a vector c as represented in Formula 55. c:=r _(F) ^(T) C _({circumflex over (F)})  [Formula 54]

The decryption unit 512 calculates the value μ^(˜) as represented in Formula 56. {tilde over (μ)}:=c ^(T)·(I _(d(m+N+1)) ⊗g ^(−T))(u)  [Formula 56]

Here, the vector u is as represented in Formula 57. u ^(T):=(0, . . . ,0,└q/2┘)∈

^(1×d(m+N+1))  [Formula 57]

(Step S53: Output Process)

The output unit 513 of the decryption device 50 outputs 0 when an absolute value of the value μ^(˜) is less than q/4, or otherwise outputs 1.

That is, the decryption device 50 executes a Dec algorithm represented in Formula 58, to decrypt the ciphertext ct^((F)). Dec(ct ^((F)):=(C _({circumflex over (F)}) ,F,D _({circumflex over (F)})),sk _(f1) , . . . ,sk _(fd)) r′ _(fj) :=O(A,f _(j))for j=1, . . . ,d, r _(F) ^(T):=[r _(f1) ^(T) ∥r′ _(f1) ^(T)∥1∥ . . . ∥r _(fd) ^(T) ∥r′ _(fd) ^(T)∥1], c:=r _(F) ^(T) C _({circumflex over (F)}), u ^(T):=(0, . . . ,0,└q/2┘)∈

^(1×d(m+N+1)), {tilde over (μ)}:=c ^(T)·(I _(d(m+N+1)) ⊗g ^(−T))(u)  [Formula 58]

return if |{tilde over (μ)}|<q/4 then 0, otherwise 1.

***Effect of First Embodiment***

As described above, in the encryption system 10 according to the first embodiment, the matrix C that is an encryption element is converted into the matrix C^(˜) that is an encryption element, by using the encryption element F. This makes it possible to perform homomorphic computation without associating an element in the encryption element C with the policy set F. Therefore, it becomes possible to perform flexible homomorphic computation again by using the ciphertext ct* as an input.

The reason why the effect of enabling flexible homomorphic computation again with the ciphertext ct* as an input is obtained will be described.

Suppose that a ciphertext ct^((f)):=(C{circumflex over ( )}_(f), F, D{circumflex over ( )}_(f)) is obtained as a result of execution of the Apply algorithm described in step S44 of FIG. 9 with the ciphertext ct:=(x, C, C_(x), F, D, {D^((k)) _(x)}_(k)) generated by the encryption device 30 as an input.

At this time, the ciphertext ct^((f)) satisfies relationships (1) to (3) represented in Formula 59 for a decryption key t∈Z_(q) ^(m+N+1) and a small random matrix R∈Z_(q) ^(n×M).

$\begin{matrix} {{(1)\mspace{14mu}{tC}_{f}^{\bigwedge}} \approx {\mu\left( {t \otimes g^{T}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 59} \right\rbrack \\ {{(2)\mspace{14mu} F} \approx {{\begin{bmatrix} A^{T} \\ B^{T} \\ v^{T} \end{bmatrix} \cdot R} + {\mu\left( {I_{m + N + 1} \otimes g^{T}} \right)}}} & \; \\ {{(3)\mspace{14mu}{\left( {I_{N} \otimes t_{f}} \right) \cdot D_{f}^{\bigwedge}}} = {R \otimes g}} & \; \end{matrix}$

Suppose that the ciphertext ct^(˜):=(C^(˜), F^(˜), D^(˜)) is obtained as a result of execution of the Expansion algorithm described in step S44 of FIG. 9 with the ciphertext ct^((f)) as an input. At this time, the ciphertext ct^(˜) is held in a state of satisfying the relationships (1) to (3) represented in Formula 59, as will be described later, for a decryption key t^(˜):=[t∥t_(f)] obtained by concatenating a decryption key t_(f) with the decryption key t, and for a random matrix R^(˜).

The matrix F becomes the matrix F^(˜) as it is. Therefore, the random matrix R becomes the random matrix R^(˜) as it is. Therefore, the relationship represented in (2) of Formula 59 is satisfied.

The matrix ID^(˜) is generated as represented in Formula 47. At this time, the relationship represented in Formula 60 is established.

$\begin{matrix} \begin{matrix} {{\left( {I_{N} \otimes {\overset{\sim}{t}}^{T}} \right) \cdot D^{\sim}} = {\left( {I_{N} \otimes t^{T}} \right) \cdot D_{f}^{\bigwedge}}} \\ {= {R \otimes g}} \end{matrix} & \left\lbrack {{Formula}\mspace{14mu} 60} \right\rbrack \end{matrix}$

Therefore, the relationship of (3) of Formula 59 is satisfied.

The matrix C^(˜) is generated as represented in Formula 48. At this time, with a configuration of the matrix X, the relationship of Formula 61 is established.

$\begin{matrix} \begin{matrix} {{t^{T}X} = {t^{T} \cdot \left( {s^{T} \otimes I_{n^{\prime}}} \right) \cdot D_{f}^{\bigwedge}}} \\ {= {\left( {s^{T} \otimes 1} \right) \cdot \left( {I_{N} \otimes t^{T}} \right) \cdot D_{f}^{\bigwedge}}} \\ {{\approx s^{T}}{\cdot {R \otimes g}}} \\ {= {{s^{T} \cdot \left( {I_{n} \otimes g} \right)}\;\left( {R \otimes 1} \right)}} \\ {= {r_{f}^{\prime\; T} \cdot \left( {B_{f}^{T} - B^{T}} \right) \cdot R}} \end{matrix} & \left\lbrack {{Formula}\mspace{14mu} 61} \right\rbrack \end{matrix}$

Therefore, the relationship of Formula 62 is established.

$\begin{matrix} {{{{t^{T}X} + {t_{f}F}} \approx {{r_{f}^{\prime\; T} \cdot \left( {B_{f}^{T} - B^{T}} \right) \cdot R} + {{\left\lbrack {r_{f}^{T}{r_{f}^{\prime\; T}}1} \right\rbrack\begin{bmatrix} A^{T} \\ B^{T} \\ v^{T} \end{bmatrix}} \cdot R} + {\mu\left( {t_{f}^{T} \otimes g^{T}} \right)}}} = {{{{\left\lbrack {r_{f}^{T}{r_{f}^{\prime\; T}}1} \right\rbrack\begin{bmatrix} A^{T} \\ B_{f}^{T} \\ v^{T} \end{bmatrix}} \cdot R} + {\mu\left( {t_{f}^{T} \otimes g^{T}} \right)}} = {\mu\left( {t_{f}^{T} \otimes g^{T}} \right)}}} & \left\lbrack {{Formula}\mspace{14mu} 62} \right\rbrack \end{matrix}$

As a result, the relationship of Formula 63 is established, and the relationship of (1) of Formula 59 is satisfied. {tilde over (t)} ^(T) C{circumflex over ( )}≈μ({tilde over (t)} ^(T) ⊗g ^(T))  [Formula 63]

Suppose that the ciphertext ct*:=(C*, F*, D*) is obtained as a result of execution of the homomorphic computation g described in step S45 of FIG. 9 with the ciphertext ct^(˜) as an input. At this time, as described in Non Patent Literature 3, the ciphertext ct* is also held in a state of satisfying the relationships (1) to (3) represented in Formula 59.

That is, the ciphertext ct* obtained as a result of execution of the homomorphic computation g holds the relationship satisfied by the ciphertext ct^((f)) obtained as a result of execution of the Apply algorithm with the ciphertext ct generated by the encryption device 30 as an input. Therefore, a state of satisfying this relationship can be obtained even when the Expansion algorithm is executed with the ciphertext ct* obtained as a result of execution of the homomorphic computation g as an input, instead of the ciphertext ct generated by the encryption device 30. As a result, flexible homomorphic computation can also be performed for the ciphertext ct* obtained as a result of execution of the homomorphic computation g, similarly to the ciphertext ct generated by the encryption device 30.

That is, in step S44 of FIG. 9, with the matrix F that is an encryption element and the matrix D that is an encryption element, the ciphertext conversion unit 412 converts the matrix C and the matrix C_(x) that are encryption elements included in the ciphertext ct acquired by the ciphertext acquisition unit 416, into the matrix C^(˜) that is an encryption element decryptable with the decryption key sk_(F) corresponding to the policy set F acquired by the policy acquisition unit 417. In addition, the ciphertext conversion unit 412 also converts the matrix D to the matrix D^(˜). As a result, the ciphertext conversion unit 412 converts the ciphertext ct into the ciphertext ct^(˜).

That is, the ciphertext conversion unit 412 converts the matrix C that is an encryption element in which the plaintext μ is set, and the matrix C_(x) that is an encryption element in which the attribute x is set, by using the matrix F that is an encryption element not to be decrypted with the decryption key sk_(f) corresponding to the policy f satisfied by the attribute x and in which the plaintext μ and the matrix R that is a random number are set, and using the matrix D that is an encryption element in which the matrix R that is a random number is encrypted. In this way, by using the matrix F and the matrix D, the ciphertext conversion unit 412 makes it possible to perform the homomorphic computation while maintaining the relationship established between the ciphertext, and the decryption key and a random number R.

***Other Configuration***

<Modification 1>

In the first embodiment, the functional components of the key generation device 20, the encryption device 30, the homomorphic computation device 40, and the decryption device 50 are realized by software. However, as Modification 1, the functional components may be realized by hardware. With regard to Modification 1, points different from the first embodiment will be described.

With reference to FIG. 11, a configuration of a key generation device 20 according to Modification 1 will be described.

In a case where a function is realized by hardware, the key generation device 20 includes a processing circuit 25, instead of the processor 21, the memory 22, and the storage 23. The processing circuit 25 is a dedicated electronic circuit to realize functional components of the key generation device 20 and functions of the memory 22 and the storage 23.

With reference to FIG. 12, a configuration of an encryption device 30 according to Modification 1 will be described.

In a case where a function is realized by hardware, the encryption device 30 includes a processing circuit 35, instead of the processor 31, the memory 32, and the storage 33. The processing circuit 35 is a dedicated electronic circuit to realize functional components of the encryption device 30 and functions of the memory 32 and the storage 33.

Referring to FIG. 13, a configuration of a homomorphic computation device 40 according to Modification 1 will be described.

In a case where a function is realized by hardware, the homomorphic computation device 40 includes a processing circuit 45, instead of the processor 41, the memory 42, and the storage 43. The processing circuit 45 is a dedicated electronic circuit to realize functional components of the homomorphic computation device 40 and functions of the memory 42 and the storage 43.

With reference to FIG. 14, a configuration of a decryption device 50 according to Modification 1 will be described.

In a case where a function is realized by hardware, the decryption device 50 includes a processing circuit 55, instead of the processor 51, the memory 52, and the storage 53. The processing circuit 55 is a dedicated electronic circuit to realize functional components of the decryption device 50 and functions of the memory 52 and the storage 53.

For the processing circuits 25, 35, 45, and 55, a single circuit, a composite circuit, a programmed processor, a parallel programmed processor, a logic IC, a gate array (GA), an application specific integrated circuit (ASIC), or a field-programmable gate array (FPGA) is assumed.

A function of each functional component of the key generation device 20 may be realized by one processing circuit 25, or a function of each functional component may be distributed to a plurality of processing circuits 25, to be realized. Similarly, for each of the encryption device 30, the homomorphic computation device 40, and the decryption device 50, a function of each functional component may be realized by one processing circuit 35, 45, or 55, or a function of each functional component may be distributed to a plurality of processing circuits 35, 45, or 55, to be realized.

<Modification 2>

In Modification 2, some function may be realized by hardware, and other function may be realized by software. That is, in each functional component, some function may be realized by hardware, and other function may be realized by software.

The processors 21, 31, 41, and 51, the memories 22, 32, 42, and 52, the storages 23, 33, 43, and 53, and the processing circuits 25, 35, 45, and 55 are collectively referred to as “processing circuitry”. That is, a function of each functional component is realized by the processing circuitry.

***Description of Notation***

When A is a random variable value or distribution, Formula 64 represents random selection of y from A in accordance with distribution of A. That is, in Formula 64, y is a random number.

$\begin{matrix} {y\overset{R}{\leftarrow}A} & \left\lbrack {{Formula}\mspace{14mu} 64} \right\rbrack \end{matrix}$

When A is a set, Formula 65 represents uniform selection of y from A. That is, in Formula 65, y is a uniform random number.

$\begin{matrix} {y\overset{U}{\leftarrow}A} & \left\lbrack {{Formula}\mspace{14mu} 65} \right\rbrack \end{matrix}$

Formula 66 represents that y is a set defined by z, or that y is a set into which z is assigned. y:=z  [Formula 66]

When a is a constant, Formula 67 represents that a machine (algorithm) A outputs a for an input x. A(x)→a  [Formula 67]

Z_(q) represents a group of integers of an order q. Further, y∈Z_(q) ^(v) indicates that y is a vector with v elements on Z_(q). Further, y∈Z_(q) ^(v×w) indicates that y is a matrix of v rows and w columns with elements on Z_(q).

REFERENCE SIGNS LIST

10: encryption system, 20: key generation device, 21: processor, 22: memory, 23: storage, 24: communication interface, 25: processing circuit, 211: acquisition unit, 212: master key generation unit, 213: decryption key generation unit, 214: output unit, 231: master key storage unit, 30: encryption device, 31: processor, 32: memory, 33: storage, 34: communication interface, 35: processing circuit, 311: acquisition unit, 312: encryption unit, 313: output unit, 331: public parameter storage unit, 40: homomorphic computation device, 41: processor, 42: memory, 43: storage, 44: communication interface, 45: processing circuit, 411: acquisition unit, 412: ciphertext conversion unit, 413: homomorphic computation unit, 414: output unit, 415: public parameter acquisition unit, 416: ciphertext acquisition unit, 417: policy acquisition unit, 418: computation acquisition unit, 431: public parameter storage unit, 432: ciphertext storage unit, 50: decryption device, 51: processor, 52: memory, 53: storage, 54: communication interface, 55: processing circuit, 511: acquisition unit, 512: decryption unit, 513: output unit, 531: key storage unit, 532: condition storage unit, 533: result storage unit, λ: security parameter, pp: public parameter, msk: master secret key, sk_(f): decryption key, μ: plaintext, x: attribute, ct, ct^((F)), ct^(˜), ct*: ciphertext, F: policy set, g: homomorphic computation. 

The invention claimed is:
 1. A homomorphic computation device comprising: processing circuitry to: acquire a ciphertext ct including an encryption element C in which a plaintext μ is encrypted, the encryption element C being decryptable by a decryption key sk_(f) corresponding to a policy f satisfied by the attribute x, an encryption element C_(x) created using an attribute x, and an encryption element F in which the plaintext μ is encrypted, the encryption element F only being decryptable by a different key than the decryption key skf corresponding to the policy f satisfied by the attribute x, the different key corresponding to a policy, which is different than the policy f, and which is satisfied by an attribute different than the attribute x; acquire a policy set F that is a set of policies including the policy f and the policy different than the policy f; convert the ciphertext ct into a ciphertext ct˜ by converting, with the encryption element F, the encryption element Cx included in the acquired ciphertext ct, into an encryption element C˜ that can be decrypted with a decryption key skF corresponding to the acquired policy set F; and perform homomorphic computation g on the converted ciphertext ct˜, to generate a ciphertext ct*.
 2. The homomorphic computation device according to claim 1, wherein a random number R is used to create the encryption element F, the ciphertext ct includes an encryption element D in which the random number R is encrypted, and the processing circuitry converts the encryption element C into the encryption element C^(˜) with the encryption element F and the encryption element D.
 3. The homomorphic computation device according to claim 2, wherein the ciphertext ct includes the encryption element C represented in Formula 1, the encryption element C_(x) represented in Formula 2, the encryption element F represented in Formula 3, and the encryption element D represented in Formula 4 $\begin{matrix} {\;{C:={{\begin{bmatrix} A^{T} \\ B_{0}^{T} \\ v^{T} \end{bmatrix} \cdot S} + \begin{bmatrix} E_{A} \\ E_{0} \\ e_{v}^{T} \end{bmatrix} + {\mu\left( {I_{m + N + 1} \otimes g^{T}} \right)}}}} & \left\lbrack {{Formula}\mspace{14mu} 1} \right\rbrack \end{matrix}$ where superscript T designates transpose, A∈Z_(q) ^(n×m), with Z_(q) representing a group of integers of order q, and A being a matrix of n rows and m columns on Z_(q), where n and q are parameters in learning with errors (LWE) problem, ${B_{0}\overset{U}{\leftarrow}Z_{q}^{n \times N}},$ with B₀ representing a matrix with n rows and N columns of uniform random numbers uniformly selected from the set Z_(q), ${v\overset{U}{\leftarrow}Z_{q}^{n}},$ with v representing a vector of n uniform random numbers uniformly selected from the set Z_(q), ${S\overset{U}{\leftarrow}Z_{q}^{n \times M}},$ with S representing a matrix with n rows and M columns of uniform random numbers uniformly selected from the set Z_(q), ${E_{A}\overset{R}{\leftarrow}\chi^{m \times M}},$ with E_(A) representing a matrix of m rows and M columns randomly selected in accordance with a distribution of χ, where χ is a parameter of LWE problem, E ₀:=[E ₀[1], . . . ,E ₀[M]], E ₀[j]:=R _(0,j) ^(T) E _(A)[j] for j=1, . . . ,M, $R_{0,j}\overset{U}{\leftarrow}\left\{ {0,1} \right\}^{m \times N}$ for j=1, . . . , M, with R_(0,j) representing, for each integer j, a matrix with m rows and N columns of uniform random numbers uniformly selected from the set {0,1}, ${e_{v}\overset{R}{\leftarrow}\chi^{M}},$ with e_(v) representing a vector of M numbers randomly selected in accordance with the distribution of χ, where χ is a parameter of LWE problem, μ: plaintext, I_(m+N+1): unit matrix of m+N+1 rows and m+N+1 columns, m,N,M∈Z, g ^(T):=(1,2, . . . ,2^(┌log q┐)) $\begin{matrix} {C_{x}:={{\left\lbrack {{\overset{\rightarrow}{B}}_{x} - {x\overset{\rightarrow}{G}}} \right\rbrack^{T} \cdot S} + \begin{bmatrix} E_{1} \\ \vdots \\ E_{L} \end{bmatrix}}} & \left\lbrack {{Formula}\mspace{14mu} 2} \right\rbrack \end{matrix}$ where {right arrow over (B)} _(x):=[B ₁ , . . . ,B _(L)], $B_{1},\ldots\mspace{14mu},{B_{L}\overset{U}{\leftarrow}Z_{q}^{n \times N}},$ x: attribute, {right arrow over (G)}:=I _(m+N+1) ⊗g ^(T), E _(i):=[E _(i)[1], . . . ,E _(i)[M]] for i=1, . . . ,L, E _(i)[j]:=R _(i,j) ^(T) E _(A)[j] for i=1, . . . ,L;j=1, . . . ,M, $R_{i,j}\overset{U}{\leftarrow}\left\{ {0,1} \right\}^{m \times N}$ for i=1, . . . , L; j=1, . . . , M $\begin{matrix} {F:={{\begin{bmatrix} A^{T} \\ B^{T} \\ v^{T} \end{bmatrix} \cdot R} + E_{F} + {\mu\left( {I_{m + N + 1} \otimes g^{T}} \right)}}} & \left\lbrack {{Formula}\mspace{14mu} 3} \right\rbrack \end{matrix}$ wherein ${B\overset{U}{\leftarrow}Z_{q}^{n \times N}},{R\overset{U}{\leftarrow}Z_{q}^{n \times N}},{E_{F}\overset{R}{\leftarrow}\chi^{{({m + N + 1})} \times M}},$ χ: parameter of learning with errors (LWE) problem, $\begin{matrix} \left. {D:={{\left( {I_{N} \otimes \begin{bmatrix} A^{T} \\ B_{0}^{T} \\ v^{T} \end{bmatrix}} \right) \cdot \begin{bmatrix} S^{(1)} \\ \vdots \\ S^{(N)} \end{bmatrix}} + \begin{bmatrix} E^{(1)} \\ \vdots \\ E^{(N)} \end{bmatrix} + {R \otimes g \otimes e_{m + N + 1}}}} \right) & \left\lbrack {{Formula}\mspace{14mu} 4} \right\rbrack \end{matrix}$ where $S^{(1)},\ldots\mspace{14mu},{S^{(N)}\overset{U}{\leftarrow}Z_{q}^{n \times M}},$ E ^((k)):=[(E _(A) ^((k)))^(T)∥(E ₀ ^((k)))^(T) ∥e _(v) ^((k))]^(T) for k=1, . . . ,N, $E_{A}^{(k)}\overset{R}{\leftarrow}\chi^{m \times M}$ for k=1, . . . , N, with E^((k)) _(A) representing, for each integer k, a matrix of m rows and M columns randomly selected in accordance with a distribution of χ, where χ is a parameter of LWE problem, E ₀ ^((k)):=[E ₀ ^((k))[1], . . . ,E ₀ ^((k))[M]] for k=1, . . . ,N, E ₀ ^((k))[j]:=(R _(0,j) ^((k)))^(T) E _(A) ^((k))[j] for j=1, . . . ,M;k=1, . . . ,N, ${v\overset{U}{\leftarrow}Z_{q}^{n}},$ with v representing a vector of n uniform random numbers uniformly selected from the set Z_(q), $e_{v}^{(k)}\overset{R}{\leftarrow}\chi^{M}$ for k=1, . . . , N, with e^((k)) _(v) representing, for each integer k, a vector of M numbers randomly selected in accordance with the distribution of χ, where χ is a parameter of LWE problem, $R_{0,j}^{(k)}\overset{U}{\leftarrow}Z_{q}^{m \times N}$ for j=1, . . . , M, with R^((k)) _(0,j) representing, for each integer j, a matrix with m rows and N columns of uniform random numbers uniformly selected from the set Z_(q), e_(m+N+1): vector in which (m+N+1)-th element is 1 and other elements are
 0. 4. The homomorphic computation device according to claim 3, wherein the processing circuitry converts the encryption element C into an encryption element C{circumflex over ( )}_(f) as represented in Formula 5, and converts the encryption element C{circumflex over ( )}_(f) into the encryption element C^(˜) as represented in Formula 6 $\begin{matrix} {\;{C_{f}^{\bigwedge}:={C + \begin{bmatrix} 0_{m \times M} \\ C_{f} \\ 0_{1 \times M} \end{bmatrix}}}} & \left\lbrack {{Formula}\mspace{14mu} 5} \right\rbrack \end{matrix}$ where C _(f) :=H ^(T) C _(x), H:=EvRelation(f,x,{right arrow over (B)} _(x)) $\begin{matrix} {C^{\sim}:=\begin{bmatrix} C_{f}^{⩓} & X \\ 0 & F \end{bmatrix}} & \left\lbrack {{Formula}\mspace{14mu} 6} \right\rbrack \end{matrix}$ where X:=(s⊗I _(n′))·D _({circumflex over (f)}), s:=(I _(n) ⊗g ^(−T))((B _(f) −B)r′ _(f)), I_(n): unit matrix of n rows and n columns, D _({circumflex over (f)}) :=D _(f) +D, D _(f):=[0_(M×m)∥(D _(f) ⁽¹⁾)^(T)∥0_(M)∥ . . . ∥0_(M×m)∥(D _(f) ^((N)))^(T)∥0_(M)]^(T), E _(i) ^((k)):=[E _(i) ^((k))[1], . . . ,E _(i) ^((k))[M]] for i=1, . . . ,L;k=1, . . . ,N, E _(i) ^((k))[j]:=(R _(i,j) ^((k)))^(T) E _(A) ^((k))[j] for i=1, . . . ,L;j=1, . . . ,M;k=1, . . . ,N, $R_{i,j}^{(k)}\overset{U}{\leftarrow}Z_{q}^{m \times N}$ for j=1, . . . , L; j=1 . . . , M D _(f) ^((i)) :=H ^(T) D _(x) ^((i))for i=1, . . . ,k, $D_{x}^{(k)}:={{\left( {{\overset{\rightarrow}{B}}_{x} - {x\overset{\rightarrow}{G}}} \right) \cdot S^{(k)}} + \begin{bmatrix} E_{1}^{(k)} \\ \vdots \\ E_{L}^{(k)} \end{bmatrix}}$ B _(f):=Eval(f,{right arrow over (B)} _(x)), r′ _(f)∈{0,1}^(N).
 5. The homomorphic computation device according to claim 4, wherein the processing circuitry performs the homomorphic computation g on the encryption element C^(˜) to generate an encryption element C*, performs the homomorphic computation g on the encryption element F to generate an encryption element F*, performs the homomorphic computation g on an encryption element D^(˜) obtained by converting the encryption element D to generate an encryption element D*, and generates the ciphertext ct* including the encryption element C*, the encryption element F*, and the encryption element D*.
 6. The homomorphic computation device according to claim 5, wherein the processing circuitry converts the encryption element D into the encryption element D^(˜) as represented in Formula 7 $\begin{matrix} {D^{\sim}:={\left( {I_{N} \otimes \begin{bmatrix} I_{n^{\prime}} \\ 0_{{({m + N + 1})} \times n^{\prime}} \end{bmatrix}} \right) \cdot D_{f}^{\bigwedge}}} & \left\lbrack {{Formula}\mspace{14mu} 7} \right\rbrack \end{matrix}$ where 0_((m+N+1)×n′) is a zero matrix of m+N+1 rows and n′ columns, I_(N): unit matrix of N rows and N columns, I_(n′): unit matrix of n′ rows and n′ columns I_(N): unit matrix of N rows and N columns.
 7. The homomorphic computation device according to claim 3, wherein the processing circuitry performs the homomorphic computation g on the encryption element C^(˜) to generate an encryption element C*, performs the homomorphic computation g on the encryption element F to generate an encryption element F*, performs the homomorphic computation g on an encryption element D^(˜) obtained by converting the encryption element D to generate an encryption element D*, and generates the ciphertext ct* including the encryption element C*, the encryption element F*, and the encryption element D*.
 8. The homomorphic computation device according to claim 7, wherein the processing circuitry converts the encryption element D into the encryption element D^(˜) as represented in Formula 7 $\begin{matrix} {D^{\sim}:={\left( {I_{N} \otimes \begin{bmatrix} I_{n^{\prime}} \\ 0_{{({m + N + 1})} \times n^{\prime}} \end{bmatrix}} \right) \cdot D_{f}^{\bigwedge}}} & \left\lbrack {{Formula}\mspace{14mu} 7} \right\rbrack \end{matrix}$ where 0_((m+N+1)×n′) is a zero matrix of m+N+1 rows and n′ columns, D _({circumflex over (f)}) :=D _(f) +D, D _(f):=[0_(M×m)∥(D _(f) ⁽¹⁾)^(T)∥0_(M)∥ . . . ∥0_(M×m)∥(D _(f) ^((N)))^(T)∥0_(M)]^(T), D _(f) ^((i)) :=H ^(T) D _(x) ^((i))for i=1, . . . ,k, E _(i) ^((k)):=[E _(i) ^((k))[1], . . . ,E _(i) ^((k))[M]] for i=1, . . . ,L;k=1, . . . ,N, E _(i) ^((k))[j]:=(R _(i,j) ^((k)))^(T) E _(A) ^((k))[j] for i=1, . . . ,L;j=1, . . . ,M;k=1, . . . ,N, $R_{i,j}^{(k)}\overset{U}{\leftarrow}Z_{q}^{m \times N}$ for i=1, . . . , L; j=1, . . . , M D _(f) ^((i)) :=H ^(T) D _(x) ^((i))for i=1, . . . ,k, ${D_{x}^{(k)}:={{\left( {{\overset{\rightarrow}{B}}_{x} - {x\overset{\rightarrow}{G}}} \right) \cdot S^{(k)}} + \begin{bmatrix} E_{1}^{(k)} \\ \vdots \\ E_{L}^{(k)} \end{bmatrix}}},$ I_(N): unit matrix of N rows and N columns, I_(n′): unit matrix of n′ rows and n′ columns I_(N): unit matrix of N rows and N columns.
 9. The homomorphic computation device according to claim 1, wherein the processing circuitry generates the ciphertext ct* including an encryption element C* generated by performing homomorphic computation g on the encryption element C^(˜), acquires the generated ciphertext ct*, and converts a ciphertext ct* into a ciphertext ct^(˜) by converting, with the encryption element F, the encryption element C* included in the ciphertext ct* into an encryption element C^(˜) that can be decrypted with a decryption key sk_(F)′ different from the decryption key sk_(F).
 10. An encryption system comprising: an encryption device to generate a ciphertext ct including an encryption element C in which a plaintext μ is encrypted, the encryption element C being decryptable by a decryption key sk_(f) corresponding to a policy f satisfied by the attribute x, an encryption element C_(x) created using an attribute x, and an encryption element F in which the plaintext μ is encrypted, the encryption element F only being decryptable by a different key than the decryption key sk_(f) corresponding to the policy f satisfied by the attribute x, the different key corresponding to a policy, which is different than the policy f, and which is satisfied by an attribute different than the attribute x; and a homomorphic computation device to convert the ciphertext ct into a ciphertext ct^(˜) by converting, with the encryption element F, the encryption element C_(x) included in the ciphertext ct generated by the encryption device, into an encryption element C^(˜) that can be decrypted with a decryption key sk_(F) corresponding to a policy set F that is a set of policies including the policy f and the policy different than the policy f, and perform homomorphic computation g on the converted ciphertext ct^(˜) to generate a ciphertext ct*.
 11. A non-transitory computer readable medium storing a homomorphic computation program to cause a computer to execute: a ciphertext acquisition process of acquiring a ciphertext ct including an encryption element C in which a plaintext μ is encrypted, the encryption element C being decryptable by a decryption key sk_(f) corresponding to a policy f satisfied by the attribute x, an encryption element C_(x) created using an attribute x, and an encryption element F in which the plaintext μ is encrypted, the encryption element F only being decryptable by a different key than the decryption key sk_(f) corresponding to the policy f satisfied by the attribute x, the different key corresponding to a policy, which is different than the policy f, and which is satisfied by an attribute different than the attribute x; a policy acquisition process of acquiring a policy set F that is a set of policies including the policy f and the policy different than the policy f; a ciphertext conversion process of converting the ciphertext ct into a ciphertext ct^(˜) by converting, with the encryption element F, the encryption element C_(x) included in the ciphertext ct acquired in the ciphertext acquisition process, into an encryption element C^(˜) that can be decrypted with a decryption key sk_(F) corresponding to the policy set F acquired in the policy acquisition process; and a homomorphic computation process of performing homomorphic computation g on the ciphertext ct^(˜) converted in the ciphertext conversion process, to generate a ciphertext ct*. 